imhim

CHIP n PIN

A Cambridge University professor has accused the bank cards industry of making a ''very nasty attempt at censorship'' over a flaw in chip and PIN technology.

The UK Cards Association (UKCA), which represents the country's biggest banks, wrote to the university to try to remove the online publication of research which shows how a £20 hand-held device could be used to buy goods without entering the correct PIN.

Melanie Johnson, a former Labour Treasury minister who is now chair of the UKCA, wrote to the university's director of communications earlier this month saying the publication ''oversteps the boundaries of what constitutes responsible disclosure''.

She said the paper, The Smart Card Detective, by MPhil research student Omar Choudary, ''places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN''.

She said the type of attack described was ''difficult to undertake'' and ''unlikely to interest genuine fraudsters'' but said the ''level of detail'' published was worrying and asked for the research to be removed.

And she said police had expressed concern the student ''was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant''.

Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory, said: ''This was absolutely unacceptable. It was a very very nasty attempt at censorship.''

He said exposing vulnerabilities in the system was an example of ''responsible disclosure'' and said the industry had been guilty of ''sitting on their butts and doing nothing'' since he and fellow scientists first revealed the flaw in late 2009.

In a response letter dated December 24, he wrote: ''You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient.

''This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.''

He continued: ''You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.''

Prof Anderson said he had authorised the thesis to be issued as a Computer Laboratory technical report, saying: ''This will make it easier for people to find and to cite, and will ensure that its presence on our website is permanent.''

He said there was no basis for police concern as there was no intent to commit fraud, as the card holder gave his consent and the merchant was paid.

He added that Barclays Bank did appear to have closed the technological loophole although other banks were yet to fix the problem.

A UKCA spokeswoman said: ''The UK Cards Association has written to Cambridge not to challenge the work of the university's security academics but only to challenge whether publishing explicit details of how to attempt a fraud - specifically one which there is no evidence of a fraudster yet undertaking - is necessary and serving the public's best interest.

''We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters - as unfortunately it is only the fraudsters who stand to gain from any lack of cooperation between us.''

She said it was questionable whether publishing a ''DIY guide for fraudsters'' was ''in the best interests of the card-holding public''.

And she said while ''nothing is 100% secure'' fraud on UK issued cards had dropped to £186.8 million in the first six months of the year, down 20% on the same period in 2009.

http://uk.finance.yahoo.com/news/Banks-trying-hide-chip-pin-tele-2478931782.html


A student used a £20 device to pay for something without entering his PIN.

He then published it on the web and told the world how chip & PIN don't work.

They (bank companies) are now trying to shut him down.


Im Him, do you have a link to his info / methods?


I read this guy's thesis.

There's a lot of information there to actually make or buy your own device; however, he doesn't give the source code for the SCD to allow you to bypass the PIN.


I read this guy's thesis.

There's a lot of information there to actually make or buy your own device; however, he doesn't give the source code for the SCD to allow you to bypass the PIN.

It's only a matter of time.


*strokes chin*

got an itch fam?

yes thanks for asking you chich


Surely if it's a software exploit they can patch it,

but instead they sat on it because no fraudster had done it before.

Glad to know how proactive they are in keeping technology secure.


Glad it was at Cambridge. If that sh*t was at UEL the dude would've been shut down nicely.
